EH-Net

Hey,

I was working in a lab trying to pwn a given host, so I more or less did the following:

1) Ran nmap: May ports are open
2) Ran Nessus: MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
3) Metasploit: search MS08-067
4) Metasploit: use exploit/windows/smb/ms08_067_netapi

So this was pretty easy. This host was so full of holes that I could have probably used many other exploits (Nessus found 22 red ones...). But I then tried to figure out how Nessus was able to find this vulnerability and this is where I hit a wall...

I was able to easily find the OS and open ports like these:
Does this nmap output tells you something like: "That's obviously a ms08_067_netapi vulnerability that we have here!". For me, without Nessus, I would have never tried this exploit...

So what approach do you guys use? Do you have a set of very powerful exploits that you try at targets that simply match the OS and maybe a port? Or is there some voodoo that you can do to go from this nmap output to this exploit?

I found more details about it at http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi (http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi)

I feel like a script kiddy now...  :-\

I think the clues to try this exploit are the OS and that port 445 is open.

That Metasploit link you posted shows the OS in the vulnernable OS list.  Plus, the RHOST lines defaults to 445 [SMB service port.  (side question:  Is this port configurable if you're setting up the network in a production environment?)].

I'm not a pentester by day though, just from what I've gathered in my own lab awhile back when messing with that exploit.

There are a few factors that a scanner looks for, but it breaks down to the following:

1) OS & version
2) OS language pack (on occasion)
3) Version of the application in question

Even if all three match a particular exploit, it may not work - there are ways to mitigate exploits from a defensive side.

Whenever I see 445 open and the box is XP ish... I always look for 08-067.

To know how the scanner checks for this particular vulnerability you can look at the details of the vulnerability to learn how its triggered. In this case, I cheated and looked at smb-check-vulns.nse, which is an nmap script.

On line 130 of the script you see "---Check if the server is patched for MS08-067. This is done by calling NetPathCompare with an -- illegal string. If the string is accepted, then the server is vulnerable; if it's rejected, then -- you're safe (for now). "

In the code you see what he does to check for 08-067 and it begins to makes sense...

   -- Call netpathcanonicalize
--   status, netpathcanonicalize_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\a", "\\test\\")
   
   local path1 = "\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\..\\n"
   local path2 = "\\n"
   status, netpathcompare_result = msrpc.srvsvc_netpathcompare(smbstate, host.ip, path1, path2, 1, 0)

   -- Stop the SMB session
   msrpc.stop_smb(smbstate)

   if(status == false) then
      if(string.find(netpathcompare_result, "UNKNOWN_57") ~= nil) then
         return true, INFECTED
      elseif(string.find(netpathcompare_result, "INVALID_NAME") ~= nil) then
         return true, PATCHED
      else
         return true, UNKNOWN, netpathcompare_result
      end
   end


   return true, VULNERABLE
end

Great question and answers.

Thank you for your answers, lorddicranius, Grendel and cd1zz!

@cd1zz: I have read the nse script and you are right, it is very obvious when you cheat!

From lorddicranius:

From cd1zz:

That's what I was thinking. If you don't have access to a vulnerability scanner, but only nmap without the .nse scripts, it's pretty tough to find an exploit unless you have already used it or seen it before.

In my original post, I mentioned:

So let's say MS08-067 is patched and you can't use Nessus, OpenVAS, or any nmap scripts. The approach has to be that, based on experience, you would do like Grendel mentioned and first look at the OS, the open ports and the services fingerprints.

But still, for example, it's one thing to see that Apache 1.2.3 is running an find an exploit for it (quite easy), but in my example above, you have to know about it...

So here's what I will do from now on: use these vulnerability scanners in the lab and whenever I can to find the vulnerabilities, but instead of just running the corresponding exploit and forget about it, I will take very, very good notes and add it to my toolbox.

Again, other than when the service is very well documented (like in my Apache 1.2.3 example), I am just afraid of the times when I won't be able to use a scanner. Getting something like this:


It will be tough to find the exploit I have never used...

In my case in the lab I make sure the OS and version of the service in that port, and then I begin to look for the vulnerability and begin to test one by one.

I like the way you think H1t M0nk3y!  It's one thing to scan and assume but a whole other thing to test beyond that of the scanner.  Sometimes a scanner like Nessus may just guess at the vulnerability by factoring what it does know.  But other times it sends test data, I've personally seen this when I ran it against some public facing Web App servers.  I turned on the Web App Testing setting and then reviewed the results.  Basically it did the quick tests for XSS and SQLi where appropriate.  Not enough to break anything but, like nmap, just a quick sample request to see if the vulnerability exists.  Other results you see it makes its decision based on OS, service version etc.. 

Then you're going to need to obtain as much information about the system and services as you can and do some research at the National Vulnerability Database, Open Source Vulnerability Database, ExploitDB, within Metasploit, Google, etc. You might not be able to pinpoint an exact match and will have to take a trial-and-error approach with several potential exploits.

That's what I have been doing more lately.

Yes, that's why very short contracts to perform pentests on many hosts requires vulnerability scanners. Otherwise, you need lots of experience (and there is always something new!) or lots of time...